How do i tell my firewall to start listen also on another outside ipadress assigned by my ISP? I have it used on other firewall right now. So my steps would be shutting down ip address assignment off old firewall interface. Assign that ip address to ASA5510 outside interface and configure NAT.
View 13 RepliesI'm currently replacing my ASA 5505 with a 5510. I have a range of public IP addresses, one has been assigned to the outside interface by the setup wizard (e.g. 123.123.123.124 ) and another I would like to NAT to an internal server (e.g 192.168.0.3 > 123.123.123.125). On my asa 5505 this seemed fairly straigh forward, i.e. create an incoming access rule that allowed SMTP to 123.123.123.125 and then create a static nat to translate 192.168.0.3 to 123.123.123.125. Since I've tried to do the same on the 5510 traffic is not passing through so I'm assuming that the use of additional public IP addresses is not handled in the same way as the 5505? I also see that by default on the 5505, 2 VLANs are created, one for the inside and one for the outside, where as this is not the case on the 5510. Is the problem that VLANs or sub-interfaces need to be created first? I'm doing the config via ASDM.
Everything else seems to OK i.e. access to ASDM via 123.123.123.124, outbound PAT and the site-to-site VPN.
I have two ASA 5510 in an active-standby cluster, not that I think that the fact that they are clustered will be of any importance here so feel free to think of it as a single 5510. The internet connection is delivered in a single RJ45 connection. To be able to use it with the cluster there is a simple unmanaged switch connected between the ISP and the ASA's. I have two subnets with public addresses, for simplicity lets call them 1.1.1.0/24 and 2.2.2.0/24. Default routers are 1.1.1.1 and 2.2.2.1 respectively.
Can I somehow use both these subnets in the ASA's? Im currently using the first subnet and use PAT to direct traffic to internal servers. But if I want to use adresses from the second subnet wont that mess up the routing, since there is no way I can specify the default router for the second subnet? I have as of yet not tried anything, Im just trying to plan ahead and I cant seem to wrap my head around how this could possibly be done.
I have a PIX 515E that I want to use to as a border between my internet connection and my Cisco AIR1131AG. I have configured the PIX to have the outside interface as a dhcp client which gets its dynamic IP address from the cable modem. the AP is connected to the E1 inside interface. Now I could see the E1 interface from the arp table from the AP but I cannot ping it. From the firewall I don't see the ARP table from the firewall. and i cannot ping the AP. what is wrong with the configuration? side note, i am able to connect to the AIR1131AG from my laptop I was not able to retrieve an IP address.
FW1 - CONFIGURATION
interface Ethernet0 description uplink towards the techsavvy modem speed 100 nameif outside security-level 0 ip address dhcp setroute !interface Ethernet1 description >>> WIFI LAN ACCESS <<< nameif inside security-level 100 ip address 10.0.0.1 255.255.255.0
[Code].....
i have an ASA 5510 My ISP provides for me 2 separate public networks. One is routable from outside of the world and one is not (and is used as a gateway for the THAT routable network)
Assume that non routable network is a.a.a.a and routable is b.b.b.b so we have 2 interfaces on asa - a.a.a.1 and b.b.b.1 Physically this network b.b.b.b is behind network a.a.a.a one cable comes to me and plugged to ASA As i said all traffic from/to external(routable) network is going through network a.a.a.a (and a default gateway at ISP) So the problem:For my international partners i need to provide VPN.So the traffic flow is the following:for exaple a client with public ip 1.1.1.1 using cisco VPN client trying to connect to b.b.b.1 The packet arrives to interface a.a.a.1 and............. Being discarded.7Dec 24 201211:09:477100051.1.1.162548b.b.b.110000TCP request discarded from 1.1.1.1/62548 to internet:b.b.b.1/10000 I assume that the ASA discards the packet BECAUSE IT COMES FROM a WRONG interface.Am i right?Also i tried to setup a bypas policy, but no effect?
if possible with the RV042.Primary External IP address uses port forwards for some ports, all okay.I would like to have other external ip addresses assigned to machines on my lan.Basic host multiple web servers, on different IP addresses, using port 80. [code]
From what i am reading, it looks like the RV042 can do this, but I am not real clear what my rules should look like.
I would think my high priority rule for each external IP address would be to deny all traffic first for each machine on the lan.Then create one entry with source 202.x.x.2 port 80 -> 192.168.168.2 ?
How should I set my rules to do this, and what settings should I have on the Nic of the second machine?
I have an ASA 5510. (ASA 8.0(4) ASDM 6.1(3) I have 2 internet connections (only 1 is currently active) Currently all internet and VPN traffic go over 1 interface. What I want , is to move general internet onto the new internet connection but keep VPN traffic on the old internet connection. I can get the internet working but as soon as i do the VPNs go down. VPNs are site to site vpns.
View 4 Replies View RelatedI am a total Cisco novice who has just had a ASA5505 installed to replace a linux freeware firewall (smoothwall).I'm told that the 5505 can't port forward traffic (e.g. ssh) from two external IP addresses to two internal destination machines via the same port # (22 in this example).
View 9 Replies View RelatedTrying to get a service setup with a third party to access our system (ERP web service to access our ERP data, making data available to customers and vendors via internet). They require that I setup four external IP addresses to have access through the firewall. I haven't figured out how to do this. I'm using a Linksys WRV200 router.
View 1 Replies View RelatedI have purchased a subnet of 8 private IP addresses from my ISP. 109.x.x.128/29.The ISP has placed a juniper router within our data centre which is routing purely from 109.x.x.206/30 to 109.x.x.128/29 with the ip of fa0/1 set to .129.
I have linked a cisco 5505 to fa0/1 of the juniper from fa0/0 and configured its IP to .130. I have configured NAT to translate our client pool 192.168.16.x /24 address' to the internet.
Is it possible for the 5505 to route / map my remaing private IP addresses through its external port? I have tried creating a seperate VLAN for a DMZ for our servers to sit within but am returned with a subnetting error as VLAN for my external port is all ready configured within the same subnet.
I have ASA 5505 with base license. I created 3rd vlan on it.it was created. but i am unable to assign IP to it. i assign ip address it takes it. But when i do sh int ip brief it does not show any ip.
Code...
I have an ASA5510 running version 8.4. ICMP is blocked from the internet to the outside interface of our firewall but now our ISP is requesting us to allow ICMP from their network to the outside of our ASA. I need to allow ICMP from three blocks of IP Addresses?
View 9 Replies View RelatedI keep struggling with Cisco ASA. How I can make a certain NAT (RDP, SSL or whatever) and securing it by allowing just one external client with fixed internet IP to make use of this NAT?
View 3 Replies View Relatedhow do i assign IP addresses to 10 computers in a network?
View 3 Replies View RelatedI have a Motorola Surfboard Modem connected to a Netgear 24-port switch. I bought the WAP4410N to provide wireless connectivity from the switch.
All my PC's can get perfect connectivity via the switch but none of my wireless devices can connect at all.
Sometimes I can get 1 PC to connect but what's strange is I can view my networked folders and such but cannot access the internet.
I've upgraded the firmware to the latest May-2012. IPv4 and IPv6 are both set to automatic.
We have 2 firewall (ASA5510) pairs. Each pari configured for Active/Stdby mode.
Pair1 : Internet browising, Remote access VPN, Citirx access & L2L VPN access
For this pair , I need to move the 'outside' interface to Gig 1/3 and change the IP addresses. (minimize the downtime)[code] Remove the ip from outside interface and add the new IP and enable to monitor interface outside?
I just thought if it's possible to make sure that only approved IP addresses for each of divisions of a company can be used.How can I assign for a port one/more public addresses and be sure that only this port is using it/them. Thing is I have only one 24 bit public Network ID provided to me by ISP. One IP address of the range is used for ISP's gateway. So I have 253 addresses to be distributed among divisions. However to avoid IP address conflicts I have to be sure that only dedicated for a division IP address/es is/are used by the division.
Router is 2821.
Switch is 2950.
I imagine I can use the framed-ip-address attribute to assign ip-addresses but there seem to be support for static ip addresses only?A bit of a drag when we're talking 200+ nodes.
View 1 Replies View RelatedMy company (in Healthcare) is going to be changing ISPs for our internet connectivity, and with this change comes a new external IP block. So I need a scheme to migrate over all of my existing VPN tunnels and other items over to new IP addresses. We do have an external router which I plan on doing a route-map to handle which traffic the ISP should go to based on IP. My big concern is for the ASA 5510. Can I setup a second outside interface on the new IP range? Then migrate my VPN tunnels over one-by-one? A drop-dead cutover date is just not possible with all of the external companies that I have to contact to get VPN tunnels updated with. If it's not possible, we have in our budget to get another 5510 next year as a redundant unit. I may be able to get that early and just migrate from one firewall to another.
View 3 Replies View RelatedBasically we have different customers using the same 5510 firewall. We have created one sub interface for every customer on the inside interface. There are differed NAT rules for every customer all using the same block of public IP addresses on the outside interface. They do not have access to each other’s network so I cannot make any exemption rules between two sub interfaces. The problem is for all our customers that they cannot communicate with each other over Internet, Email, Applications etc. using the external IP address. A work around is to use a proxy server, but they do not agree with that. I cannot make exemption rules between sub interfaces for security reasons.
View 8 Replies View RelatedI have a Motorola Surfboard Modem connected to a Netgear 24-port switch. I bought the WAP4410N to provide wireless connectivity from the switch. All my PC's can get perfect connectivity via the switch but none of my wireless devices can connect at all. Sometimes I can get 1 PC to connect but what's strange is I can view my networked folders and such but cannot access the internet. I've upgraded the firmware to the latest May-2012. IPv4 and IPv6 are both set to automatic.
View 1 Replies View RelatedI'm configuring a 5505 for a remote office. Until they are assigned a static ip by the provider I will have to use the providers dhcp address. How do I construct an access list for the outside interface using the external address if I don't know it yet? is there a commnd that will insert the ip address in to the access list once one is assigned?
View 5 Replies View Relatedi'' ve one appliance ASA 5510, v8.X and asdm 6X here u have my configuration :
interface Ethernet0/0 description Link To WAN nameif outside security-level 0 ip address 212.96.23.186 255.255.255.252!interface Ethernet0/1 description Link to LAN(forefront) nameif inside security-level 100 ip address 10.20.80.1 255.255.255.252!interface Ethernet0/2 description Link to CoreSW (DMZ) nameif DMZ security-level 50 ip address 10.70.70.254 255.255.255.0
i have on server ssh (10.70.70.10) on my DMZ .
I wan to enable my external user, i mean outside user to be able to access to this server which is in my DMZ for this port ( ssh)
I was just wondering if it's possible with an ASA 5510 to connect to the external IP address of an internal server from inside the network. I have already set up dns doctoring for dns lookups, and everything is working fine there. We have an application inside the network that tries to connect straight to the external Ip of another internal server. where to look in the ASDM 6.4?
View 2 Replies View RelatedI have the following setup:
R--H1
|
F
|
H2
R: 3840
F: ASA 5510
H: Hosts 1 and 2
I am trying to get SNMP info from the router to H2 but snmpwalk errors with no response from router. I can get info from H1 and neither interface on router is preventing SNMP traffic from coming or going.Is there something that needs to be configured to allow SNMP traffic (orginating from INSIDE) to reply? (Also note that there is no Inspect Maps blocking and SNMP versions).
I may have phrased the topic not too clearly, but I have an external domain name of mail.company.com , I want my users INSIDE the company be able to also get to url..., currently they cannot (nothing loads, looks to me as if firewall simply drops it) and I'm drawing a blank on how to get this done. Externally this works fine so if you're outside the company you can load up OWA just fine since my NAT rule translates the external IP to internal IP, but something is blocking this from the inside.
I have an ASA 5510. If you can just sent me on the right path with theory I'll figure it out on my own, I don't need exact steps, but I must be thinking of this wrong as I'm not getting anywhere.
The 1130ag was the LAP model but I upgraded it to run in autonomous mode. My understanding is that it cannot assign IP addresses but I just want that confirmed. It is not connected to a WLC nor a server that can do DHCP.
View 5 Replies View RelatedI am studying for my CCENT and have two Cisco switches and three Cisco routers. I have 'configured' the switches and routers but how to obtain valid IP addresses to assign to my devices and how I can connect these devices to the internet via my wireless home hub.
View 3 Replies View RelatedI have a Belkin Play N600 HD router. Does it have the capability to let me assign fixed IP addresses to devices like printers, NAS drives, and cameras so I know where they are?
View 2 Replies View RelatedI have 3 external ips from my isp:
222.222.222.221
222.222.222.222
222.222.222.223
The first one I use to provide internet access to my office. The other two I'm going to use for the following: I'm going to deploy a server in internal network which must have 2 external ips on his network interface (& one internal ip on the second,but that's ok: I cannot put an extra network switch before asa & plug this server there: this server is virtual & is on esxi host in internal network. External ips must be assigned to servers' interfacw,bot just forwarded there (ms direct access requirement).
My current config:
!
ASA Version 8.4(3)
!
hostname msk-office
[Code]....
I upgraded my SG500 switch firmware to 1.3.0.59, since there is a new functionality DHCP server v.4 well I must say I came accross the issue I cannot solve. DHCP server assign dynamic address - no hassles. troubles start with static IP hosts.I defined a couple of hosts with static address within the correct subnet. I tried with hardware address and client identifiers. no luck. my switch does not assign the IP address I assigned to the suitable mac address. to define it I use both CLI & Web.
ip dhcp pool host HP-Elliteaddress 10.10.11.7 255.255.255.0 client-identifier 01:d8:d3:85:cf:09:72client-name HP-Ellitedefault-router 10.10.11.1exit
ip dhcp pool host VAIO-Zaddress 10.10.14.108 255.255.255.0 hardware-address 54:53:ed:1c:a1:46
default-router 10.10.14.1exit
I am working on replacing our Checkpoint Firewalls with ASA's, and am running into the following NAT problem. On some of our Checkpoints, there are external NAT's that are mapped to multiple internal hosts based on ports.Is there any way to translate that to the ASA? I'm not sure the ASA will let you have multiple internal hosts mapped to one external IP using static NATs. The main issue, is these are alarm panels that receive data from external hosts (the traffic is initiated externally on the Internet) so I can't use dynamic PAT with this.
View 1 Replies View RelatedI have a customer that wants to purchase an ASA 5510 security plus to terminate client VPN access for an external support team. The customer claims to want URL content filtering/proxy which leads me to suggest a CSC SSM 20 plus module. But upon further conversation, he mentioned wanting IPS. In this case, the customer does not seem to know the difference between the URL content filter/proxy and the IPS and uses both terms interchangably.
1. What would you suggest in your expert opinion would be the best module to get for this customer? IPS or CSC
2. If I go with the CSC module, where can I find good documentation on how to configure it and get it up to date?
3. does the CSC module provide any web proxy functionality?